Printable View
i was just wondering everyones thoughts, i think that implementing such a plan is so much work that its not worth it. configuring each machine with a firewall leaves way too much room for misconfiguration. granted it is possible it may be more secure if done correctly, but it seems to me that it takes away from the focus of doing your perimeter firewalls and DMZ correctly.
Some of my clients have asked me the same question. What I tell them is to first set up a strong firewall for their entire network. Once they are confident that it is working properly, they can implement individual firewalls on each computer. The clients who opted to do this hired me to write scripts to automate the task. Basically, the script enabled the server to send out the firewall software to each computer, install it and configure it to certain specifications, finally locking it down so that no unauthorized users could make changes to it. The advantage to such a set up is the fact that the administrator has complete control over what programs can and cannot access the Internet (effectively blocking chat clients, trojans, etc.). I think if you have the manpower to support it and the money to implement it, go for it. Just make sure you have a hardware firewall as well... software firewalls are great defense, but within a business, they should only be considered a second defense.
AJ
Host-based firewalls are useful in some cases, because they can do things that network-based firewalls can't, like veto operations based on user authorisation or program authorisation.
However, they are also less good because they can (potentially) be bypassed (by the user accidentally or deliberately) or simply turned off.
So the ideal is to have both kinds, however most companies rely on network-based firewalls, because they are
- Cheaper (sometimes less per box licencing)
- Easier to maintain centrally
- Harder to bypass
- Easier to perform auditing on etc
Also if an administrator accidentally configures the central control program to firewall out its own control commands, he's got to run around a lot of boxes to fix his error :)
Distributed security makes sense if properly administered. In our environemnt changes occur at a very low frequency. When changes do need to be implemented our change management process and roll-back plan make distributed our distributed security infrastructure manageable.
I believe that distributed security infrastructures should address the organizations security policy at multiple levels with different technologies.